GHSA-7mx5-x372-xh87
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7mx5-x372-xh87
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-7mx5-x372-xh87/GHSA-7mx5-x372-xh87.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7mx5-x372-xh87
- Aliases
- Published
- 2021-04-20T16:40:27Z
- Modified
- 2024-09-11T21:52:47.867917Z
- Severity
-
- 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
- 8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N CVSS Calculator
- Summary
- Incorrect Session Validation in Apache Airflow
- Details
-
Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have changed the default value for
[webserver] secret_keyconfig. - Database specific
{ "nvd_published_at": "2020-12-21T17:15:00Z", "cwe_ids": [ "CWE-269" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-04-08T20:26:23Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-17526
- https://github.com/apache/airflow/commit/2f3b1c780472afd4c8a93633e6633feb7083792e
- https://github.com/apache/airflow/commit/6b065840323f9a4fc8e372b458d26e419e4fa99b
- https://github.com/apache/airflow/commit/97b2735d65e95c4633966667b6db3908540f3937
- https://github.com/apache/airflow/commit/9e01476a50b9be27c4b1e6c6e24d36f290629195
- https://github.com/apache/airflow/commit/a8900fa5f2b8963e9f57ba4ae5520a5d339aeaad
- https://github.com/apache/airflow/commit/dfa7b26ddaca80ee8fd9915ee9f6eac50fac77f6
- https://github.com/apache/airflow/commit/fe6d00a54f83468e296777d3b83b65a2ae7169ec
- https://github.com/advisories/GHSA-7mx5-x372-xh87
- https://github.com/apache/airflow
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-22.yaml
- https://lists.apache.org/thread.html/r466759f377651f0a690475d5a52564d0e786e82c08d5a5730a4f8352@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E
- http://www.openwall.com/lists/oss-security/2020/12/21/1
Affected packages
PyPI / apache-airflow
Package
- Name
- apache-airflow
- View open source insights on deps.dev
- Purl
- pkg:pypi/apache-airflow
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.10.14
Affected versions
1.*
1.8.1
1.8.2rc1
1.8.2
1.9.0
1.10.0
1.10.1b1
1.10.1rc2
1.10.1
1.10.2b2
1.10.2rc1
1.10.2rc2
1.10.2rc3
1.10.2
1.10.3b1
1.10.3b2
1.10.3rc1
1.10.3rc2
1.10.3
1.10.4b2
1.10.4rc1
1.10.4rc2
1.10.4rc3
1.10.4rc4
1.10.4rc5
1.10.4
1.10.5rc1
1.10.5
1.10.6rc1
1.10.6rc2
1.10.6
1.10.7rc1
1.10.7rc2
1.10.7rc3
1.10.7
1.10.8rc1
1.10.8
1.10.9rc1
1.10.9
1.10.10rc1
1.10.10rc2
1.10.10rc3
1.10.10rc4
1.10.10rc5
1.10.10
1.10.11rc1
1.10.11rc2
1.10.11
1.10.12rc1
1.10.12rc2
1.10.12rc3
1.10.12rc4
1.10.12
1.10.13rc1
1.10.13
1.10.14rc1
1.10.14rc2
1.10.14rc3
1.10.14rc4